Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-69141

CVE-2025-69141: Kelly Young Path Traversal Vulnerability

CVE-2025-69141 is an unauthenticated local file inclusion flaw in Kelly Young versions 1.1.0 and earlier that allows attackers to access sensitive files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-69141 Overview

CVE-2025-69141 is an unauthenticated Local File Inclusion (LFI) vulnerability affecting the Kelly Young WordPress theme in versions up to and including 1.1.0. The flaw is categorized under [CWE-98] (Improper Control of Filename for Include/Require Statement in PHP Program). Unauthenticated remote attackers can manipulate a file path parameter to force the application to include arbitrary files from the server. Successful exploitation can disclose sensitive configuration files, leak credentials, and in some PHP deployments lead to remote code execution through log poisoning or session file abuse.

Critical Impact

Unauthenticated attackers can read arbitrary local files and may achieve code execution on WordPress sites running vulnerable Kelly Young theme versions.

Affected Products

  • WordPress theme: Kelly Young, versions <= 1.1.0
  • WordPress installations using the Kelly Young theme as active or installed theme
  • PHP-based hosting environments serving the vulnerable theme files

Discovery Timeline

  • 2026-06-17 - CVE-2025-69141 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-69141

Vulnerability Analysis

The vulnerability resides in how the Kelly Young theme constructs file paths for PHP include or require statements. The theme accepts user-controlled input and passes it directly to a file inclusion function without sufficient sanitization or allowlisting. Because the entry point requires no authentication, any remote visitor can trigger the inclusion. The Patchstack advisory confirms the issue is reachable in versions 1.1.0 and earlier. The EPSS probability is 0.348% with a percentile of 26.52, indicating moderate exploitation likelihood.

Root Cause

The root cause is improper neutralization of filename input passed to a PHP file inclusion sink, which is the defining pattern of [CWE-98]. The theme trusts request parameters and concatenates them into an include/require call without restricting the path to a known directory or sanitizing traversal sequences such as ../. PHP wrappers like php://filter may also be processed, broadening the impact.

Attack Vector

The attack vector is network-based and requires no privileges or user interaction. An attacker issues an HTTP request to the vulnerable theme endpoint with a crafted parameter referencing a target file path. The server reads and executes the referenced file under the PHP process context. The vulnerability can be chained with file upload primitives or log poisoning to escalate from arbitrary file read to arbitrary PHP execution.

No verified exploit code is publicly catalogued. See the Patchstack WordPress Vulnerability Report for technical details.

Detection Methods for CVE-2025-69141

Indicators of Compromise

  • HTTP requests to Kelly Young theme PHP files containing path traversal sequences such as ../../, ..%2f, or %252e%252e%252f
  • Request parameters referencing sensitive files like wp-config.php, /etc/passwd, or /proc/self/environ
  • Use of PHP stream wrappers in query strings, including php://filter, php://input, or data://
  • Outbound or internal access to theme files immediately followed by unusual PHP process activity or new file creation in wp-content/uploads

Detection Strategies

  • Inspect web server access logs for requests targeting /wp-content/themes/kelly-young/ containing suspicious file path parameters
  • Deploy web application firewall rules that flag traversal patterns and PHP wrapper schemes in GET and POST parameters
  • Correlate unauthenticated requests to theme endpoints with subsequent reads of sensitive files at the operating system level

Monitoring Recommendations

  • Enable PHP open_basedir violation logging to capture out-of-scope file access attempts
  • Monitor WordPress file integrity for unexpected changes to theme, plugin, and core PHP files
  • Track HTTP response sizes for theme endpoints, as LFI responses often differ substantially from normal page loads

How to Mitigate CVE-2025-69141

Immediate Actions Required

  • Disable or remove the Kelly Young theme on all WordPress sites until a fixed version is confirmed available
  • Switch active sites to a maintained alternative theme to eliminate exposure of vulnerable theme files
  • Review web server access logs for prior exploitation attempts referencing the theme path
  • Rotate WordPress secrets in wp-config.php, database credentials, and any API keys if exploitation is suspected

Patch Information

No fixed version is documented in the supplied advisory data. Administrators should monitor the Patchstack WordPress Vulnerability Report and the theme vendor for an updated release that supersedes version 1.1.0. Apply the patch as soon as it becomes available.

Workarounds

  • Block external access to the vulnerable theme PHP entry points at the web server or reverse proxy layer
  • Configure WAF signatures to reject requests containing path traversal sequences or PHP stream wrappers
  • Set PHP allow_url_include = Off and restrict open_basedir to the WordPress document root
  • Apply least-privilege filesystem permissions so the PHP worker cannot read sensitive system files
bash
# Example nginx rule to block traversal and wrapper schemes against the theme path
location ~* /wp-content/themes/kelly-young/ {
    if ($args ~* "(\.\./|\.\.%2f|php://|data://|file://)") {
        return 403;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.